ZDI and vendors worked together to publicly disclose 286 advisories in 2013. We paid out more than $2.1 million (USD) to researchers in vulnerability purchases, rewards and contest payouts. That’s a considerable sum and evidence of HP’s commitment to security research and responsible disclosure. It also provided great zero-day protection for users of HP’s TippingPoint IPS and -- possibly more importantly -- made the ecosystem safer for everybody.

Our external researchers took advantage of the bonuses offered in our benefits program in 2013. We had 25 researchers reach reward bonus levels in 2013. Ten of the researchers reached the Diamond level -- the highest level in the program -- which is a record. More interesting is that two of those researchers achieved this status through case submission alone (no contests and no multipliers) in their first year. Seriously. This follows a trend we’ve seen recently -- new researchers joining with high-quality submissions and excellent analysis. Naturally this work is valued and well-rewarded in our program.

Last year brought its fair share of use-after-frees, buffer overflows, and directory traversals, but one of our favorite types of vulnerability was the Java sandbox bypass. Our external researchers’ focus on Java didn’t, however, result in it being the most targeted application of 2013. That spot went to Microsoft’s Internet Explorer. We witnessed a 123% increase in submissions by our external researchers for this specific software over the previous year. What was the reason for this increase? There are most likely multiple reasons. One is that many of our researchers, who used to focus on file-format or server-side issues, have moved on to tackle the complexity of browsers. Another reason is that there were several highly publicized, targeted attacks that utilized Internet Explorer as the initial vector to gain remote code execution. This additional attention almost always generates new submissions as researchers tweak their fuzzers based on publicly available proofs of concept.

Of the over 65 different applications targeted by our researchers, the top products in order of popularity were:

1. Microsoft Internet Explorer
2. Oracle Java
3. Hewlett-Packard Intelligent Management Center
4. Apple QuickTime
5. Hewlett-Packard Data Protector

The upshot of analyzing all this case data is that we get a good view of the threat landscape. Each product presents a unique attack surface, and with enough time and persistence our researchers were able to pinpoint previously undiscovered weaknesses. With the focus on the browser, it is not surprising to see use-after-free and other memory corruption issues top the list as the most common vulnerability types uncovered by our researcher community.

One interesting vulnerability type that showed up often this year was directory traversal. During the year, many researchers started digging deeper into the code behind web services and it just so happens that it is littered with directory-traversal issues. This type of issue typically results in arbitrary file writes with attacker-controlled data, or disclosure of sensitive information that could later be used to compromise the application.
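To make the arbitrary-write and information-disclosure consequence concrete, here is an added example (written for this post, not ZDI's or any vendor's code) of a hypothetical file-download endpoint rooted at the constructed directory /srv/uploads: the naive path join that produces a traversal bug sits beside a resolver that canonicalizes the path and checks containment before touching the filesystem.

```python
import os
from urllib.parse import unquote

# Assumed document root for a hypothetical download endpoint (constructed for this example)
BASE_DIR = "/srv/uploads"


def vulnerable_resolve(base, user_path):
    """Naive join: the client-supplied name is trusted as-is.

    '../../etc/passwd' walks out of base, and an absolute name such as
    '/etc/passwd' makes os.path.join discard base entirely.
    """
    return os.path.normpath(os.path.join(base, user_path))


def safe_resolve(base, user_path):
    """Return the canonical path of user_path inside base, or None if it escapes.

    The check runs on the canonical form (symlinks and '..' resolved) and
    requires base plus a separator as prefix, so a sibling such as
    '/srv/uploads2' is not accepted as a child of '/srv/uploads'. Empty
    names, NUL bytes, absolute names and base itself are rejected.
    """
    if not user_path or "\x00" in user_path or os.path.isabs(user_path):
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if candidate == base_real or not candidate.startswith(base_real + os.sep):
        return None
    return candidate


def handle_download(raw_name):
    """Decode the URL-encoded name exactly once, then resolve it.

    Returns ("ok", path) or ("rejected", None); decoding once means a
    double-encoded '%252e%252e' stays a literal filename inside base.
    """
    path = safe_resolve(BASE_DIR, unquote(raw_name))
    return ("ok", path) if path is not None else ("rejected", None)


if __name__ == "__main__":
    for name in ["report.pdf", "../../etc/passwd", "/etc/passwd", "%2e%2e/%2e%2e/etc/shadow"]:
        print(name, "->", vulnerable_resolve(BASE_DIR, name), "|", handle_download(name))
```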

Finally, we turn our attention to the vendors and examine how they performed last year. The Zero Day Initiative has a unique perspective on how vendors handle vulnerabilities discovered in their products. We get the opportunity to work through the process of responsible disclosure with every major software vendor’s security response team. Some vendors’ response teams are well-oiled machines and others, well, could use some oil. All that said, the top 10 vendors on average took 122 days to fix a vulnerability coming from the Zero Day Initiative in 2013. On that note, here are the top five vendors of applications targeted by our researchers in 2013:

1. Microsoft
2. Hewlett-Packard
3. Oracle
4. Apple
5. EMC

(If you slice the submission data by most popular vendor targeted, you witness EMC joining the list of popular targets. In fact, vulnerabilities in three different EMC products were submitted during the year.)

Looking ahead in 2014, we will continue to work to make vulnerability research attractive to white hat researchers and encourage responsible disclosure of critical issues. We expect to see continued focus on the mobile attack surface, embedded software, and SCADA. Another interesting trend we are seeing is researchers finding vulnerabilities in security software itself. Will attackers start taking advantage of the very software and systems designed to protect against attacks? Only time will tell. No matter what happens, ZDI will be there to help by incentivizing researchers to responsibly disclose vulnerabilities and secure the software we all rely on.

This post is both a taste and a snapshot – you can find a lot more detail in our episode 10 podcast (on the web or iTunes) and accompanying report – including wrap-ups of both of 2013’s Pwn2Own and Mobile Pwn2Own contests.

Not enough for you? Want more data on different aspects of security, including vulnerabilities, malware and mobile? Then might I shamelessly suggest the HP Security Research 2013 Risk Report -- serendipitously released today? Get it while the data’s fresh.